Created
April 2, 2016 18:11
-
-
Save danechitoaie/ccf16f5414443c0576db96531814653a to your computer and use it in GitHub Desktop.
Invision Power Board v4 Nginx configuration file for use with Centminmod.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # IPB4 Working NGINX site conf file | |
| # Tested on IPB 4.1.8.1+ and Centminmod 123.09beta01 | |
| # This file is for a FORCED SSL site. Non-SSL requests will be directed to SSL. | |
| # Replace 10.0.0.121 with your IP address or domain name. | |
| # Information gathered from | |
| # Centminmod.com / Information pulled from multiple guides. Thx eva2000! | |
| # Makoto on IPB Forum via https://community.invisionpower.com/topic/384522-how-to-set-up-a-secure-ipboard-installation-with-nginx-and-php-fpm/ version 3.4.8 guide. | |
| # Base building forum thread: https://community.centminmod.com/threads/ipb-v4-1-x-files.4922/ | |
| # Anyone else not mentioned who helped modify and create this file: Thanks! | |
| # Redirect to HTTPS from port 80 | |
| # Redirect from www to non-www with forced SSL | |
| server { | |
| listen 80; | |
| server_name 10.0.0.121; | |
| return 301 https://10.0.0.121$request_uri; | |
| # Access and Error Logs | |
| access_log /home/nginx/domains/10.0.0.121/log/access_via80.log combined buffer=256k flush=60m; | |
| error_log /home/nginx/domains/10.0.0.121/log/error_via80.log; | |
| } | |
| server { | |
| listen 443 ssl http2; | |
| server_name 10.0.0.121; | |
| root /home/nginx/domains/10.0.0.121/public; | |
| ssl_dhparam /usr/local/nginx/conf/ssl/10.0.0.121/dhparam.pem; | |
| ssl_certificate /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.crt; | |
| ssl_certificate_key /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.key; | |
| include /usr/local/nginx/conf/ssl_include.conf; | |
| # Mozilla Recommended | |
| ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA; | |
| ssl_prefer_server_ciphers on; | |
| # add_header Alternate-Protocol 443:npn-spdy/3; | |
| # HTTP Public Key Pinning Header uncomment only one that applies include or exclude domains. | |
| # You'd want to include subdomains if you're using SSL wildcard certificates | |
| # include subdomain | |
| # add_header Public-Key-Pins 'pin-sha256="kUtRfCe0JWOz1gw4DOGvf15QCfSLkIrlu+eOpf/PFOg="; pin-sha256="7nF+BczNEgtaZKE9fU80QwigQ+9Ip5S4AhR8CYM/U70="; max-age=86400; includeSubDomains'; | |
| # exclude subdomains | |
| # add_header Public-Key-Pins 'pin-sha256="kUtRfCe0JWOz1gw4DOGvf15QCfSLkIrlu+eOpf/PFOg="; pin-sha256="7nF+BczNEgtaZKE9fU80QwigQ+9Ip5S4AhR8CYM/U70="; max-age=86400'; | |
| add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; | |
| add_header X-Frame-Options SAMEORIGIN; | |
| add_header X-Content-Type-Options "nosniff" always; | |
| # spdy_headers_comp 5; | |
| ssl_buffer_size 1400; | |
| ssl_session_tickets on; | |
| # enable ocsp stapling | |
| # resolver 8.8.8.8 8.8.4.4 valid=10m; | |
| # resolver_timeout 10s; | |
| # ssl_stapling on; | |
| # ssl_stapling_verify on; | |
| # ssl_trusted_certificate /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121-trusted.crt; | |
| # ngx_pagespeed & ngx_pagespeed handler | |
| # include /usr/local/nginx/conf/pagespeed.conf; | |
| # include /usr/local/nginx/conf/pagespeedhandler.conf; | |
| # include /usr/local/nginx/conf/pagespeedstatslog.conf; | |
| # add_header X-Xss-Protection "1; mode=block" always; | |
| # add_header X-Xss-Protection "1; mode=block" always; | |
| # add_header X-Content-Type-Options "nosniff" always; | |
| # Limit Connections Per IP Address | |
| # Modified from default to allow Admin directory to have more connections | |
| # Modified in nginx.conf | |
| # limit_conn_zone $limitconn_map zone=limit_per_ip:16m; | |
| # ssi on; | |
| # Access and Error Logs | |
| access_log /home/nginx/domains/10.0.0.121/log/access_via443.log combined buffer=256k flush=60m; | |
| error_log /home/nginx/domains/10.0.0.121/log/error_via443.log; | |
| # Prevent access to ./directories and files | |
| location ~ (?:^|/)\. { | |
| deny all; | |
| } | |
| location / { | |
| # block common exploits, sql injections etc | |
| include /usr/local/nginx/conf/block.conf; | |
| # Enables directory listings when index file not found | |
| # autoindex on; | |
| # Shows file listing times as local time | |
| autoindex_localtime on; | |
| try_files $uri $uri/ /index.php; | |
| } | |
| location ~^(/page/).*(\.php)$ { | |
| try_files $uri $uri/ /index.php; | |
| } | |
| # Mask fake admin directory | |
| # Must comment this during install. Uncomment after you change the name of the admin directory. | |
| location ~^/admin/(.*)$ { | |
| deny all; | |
| } | |
| # Secure real admin directory | |
| # Replace /your_admin_renamed_directory/ with your renamed directory. | |
| #location /your_admin_renamed_directory/ { | |
| # auth_basic "Private"; | |
| # auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php; | |
| # include /usr/local/nginx/conf/php.conf; | |
| # allow 127.0.0.1; | |
| # allow YOURIPADDRESS; | |
| # deny all; | |
| #} | |
| # IP.Board PHP/CGI Protection | |
| # Allow access to interface files | |
| location ~^(/applications/*/interface/).*(\.php)$ { | |
| allow all; | |
| } | |
| location ~^(/uploads/).*(\.php)$ { | |
| deny all; | |
| } | |
| location ~^(/system/).*(\.php)$ { | |
| deny all; | |
| } | |
| location ~^(/datastore/).*(\.php)$ { | |
| deny all; | |
| } | |
| location ~^(/plugins/).*(\.php)$ { | |
| deny all; | |
| } | |
| location ~^(/applications/blog/).*(\.php)$ { | |
| deny all; | |
| } | |
| location ~^(/applications/calendar/).*(\.php)$ { | |
| deny all; | |
| } | |
| location ~^(/applications/chat/).*(\.php)$ { | |
| deny all; | |
| } | |
| location ~^(/applications/cms/).*(\.php)$ { | |
| deny all; | |
| } | |
| location ~^(/applications/core/).*(\.php)$ { | |
| deny all; | |
| } | |
| location ~^(/applications/downloads/).*(\.php)$ { | |
| deny all; | |
| } | |
| location ~^(/applications/forums/).*(\.php)$ { | |
| deny all; | |
| } | |
| location ~^(/applications/gallery/).*(\.php)$ { | |
| deny all; | |
| } | |
| location ~^(/applications/nexus/).*(\.php)$ { | |
| deny all; | |
| } | |
| include /usr/local/nginx/conf/staticfiles.conf; | |
| include /usr/local/nginx/conf/php.conf; | |
| include /usr/local/nginx/conf/drop.conf; | |
| #include /usr/local/nginx/conf/errorpage.conf; | |
| include /usr/local/nginx/conf/vts_server.conf; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment